Tracking zero day -- all you IE7 users

I'm assuming firefox and opera are not included.

Already patched last week...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA08-352A


Microsoft Internet Explorer Data Binding Vulnerability

Original release date: December 17, 2008
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Internet Explorer
* Microsoft Outlook Express
* Other software that uses Internet Explorer components to render documents


Overview

Microsoft Internet Explorer contains an invalid pointer
vulnerability in its data binding code, which can allow a remote,
unauthenticated attacker to execute arbitrary code on a vulnerable
system. Exploit code for this vulnerability is publicly available
and is being actively exploited.


I. Description

Microsoft Internet Explorer contains an invalid pointer
vulnerability in its data binding code. When Internet Explorer
renders a document that performs data binding, it may crash in a
way that is exploitable to run arbitrary code. Any program that
uses Internet Explorer's MSHTML layout engine, such as Outlook
Express, may be at risk. Further details are available in US-CERT
Vulnerability Note VU#493881.


II. Impact

By convincing a user to view a specially crafted document that
performs data binding (e.g., a web page or email message or
attachment), an attacker may be able to execute arbitrary code with
the privileges of the user.


III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS08-078.
This update provides new versions of mshtml.dll and wmshtml.dll,
depending on the target operating system. More details are
available in Microsoft Knowledge Base Article 960714.

Disable Active Scripting This vulnerability can be mitigated by
disabling Active Scripting in the Internet Zone, as specified in
the Securing Your Web Browser document. Note that this will not
block the vulnerability. IE still may crash when parsing specially
crafted content. Disabling Active Scripting will mitigate a common
method used to achieve code execution with this vulnerability.
Enable DEP in Internet Explorer 7 Enabling DEP in Internet
Explorer 7 on Windows Vista can help mitigate this vulnerability by
making it more difficult to achieve code execution using this
vulnerability.

Additional workarounds

Microsoft Security Bulletin MS08-078 provides additional details
for the above workarounds, as well as other workarounds not listed
here. These workarounds are further explained in the Microsoft SWI
Blog.


IV. References

* Microsoft Security Bulletin MS08-078 -
<https://www.microsoft.com/technet/security/bulletin/ms08-078.mspx>

* MS08-078: Security update for Internet Explorer -
<http://support.microsoft.com/kb/960714>

* Microsoft Security Advisory (961051) -
<http://www.microsoft.com/technet/security/advisory/961051.mspx>

* Update on Internet Explorer 7, DEP and Adobe Software -
<http://blogs.msdn.com/michael_howard/archive/2006/12/12/update-on-internet-explorer-7-dep-and-adobe-software.aspx>

* Data Binding -
<http://msdn.microsoft.com/en-us/library/ms531388(vs.85).aspx>

* MSHTML Reference -
<http://msdn.microsoft.com/en-us/library/aa741317.aspx>

* US-CERT Vulnerability Note VU#493881 -
<http://www.kb.cert.org/vuls/id/493881>

* Securing Your Web Browser -
<https://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-352A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-352A Feedback VU#493881" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

December 17, 2008: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSUloq3IHljM+H4irAQJ5WggAilfQXBGc2UPVScZTIA81uf0dloPwzgJF
xM5M5r0a5j8Km5g5mHdhzqs4Ni1DY0enftvm6JeagUmOzVPzOGemqXxTeAx/G6ZD
ttW687bsX9OdDJ2cmq6EixRwgVPR6kVnSK5s/MLw8yYWg7RS0lY0Mrc42QUL2GXR
KKBb3redelGZ6Szm5PKOcumYSP9bsQtxOqGZUx+d3l9cDeIDPn3c2aHFSkPP5mGr
LyEEqXw5+ifpx6v1gGyRyFOtFHP2QBSOOrnt05S0KTuoBJQ9QtyC9TEyGVwWjeq8
68BuGiOakwNdsjpFLLjW4W34N3oXnGFKh6jXAi4KW3d9wcIidZj0+w==
=T3zy
-----END PGP SIGNATURE-----

As I don't use IE at home I know I'm safe on that one. Whilst good to block the domains (I just immunize through Spybot S&D) if you had auto update on you were patched as of the 18th.

http://news.bbc.co.uk/1/hi/technology/7788687.stm

Firefox is the one I use. Wherever I go.

I just use my fingers... [/Zippy]

Wingding - The Irish Bidet

I was actually thinking more why you get so much of it thrown at you... [/Season of good will]

Work wants me to use ie6, i tried ie7 and am using firefox. I dunno why, but firefox just does it for me (ease of addons and speed).

IE6... Good Me, that's horrible.

We are on XP / Office 2K3 / IE6. We are also running plenty of Win2K / Office 2K2.

Vista next year but much of the eye candy will be disabled. I also don't know if there will be a new office standard or if it will be 2K3 still.

Hell, we just got rid of OS/2 either early this year or late last year.

Funny I just ran across this about XP.

http://www.internetnews.com/softwa [...] ension.htm

So Microsoft - once again - admits that Vista was a cockup. No surprises there.

*carefully rolls around on the floor laughing*

Well said chimp, i can't see what all the fuss was about, unless you used nvidia, in that case it was the os that was at fault.

Mmmmm, Lets see:

Key Vista features
Slower. than predecessor............................Check
Bigger foot print...........................................Check
Steals more of the resources it allows.........Check
Pathetic HW support....................................Check
fukced up installation routine......................Check
DX10............................................................who giives a crap
Lauched without file system .......................Check ala ME/XP
"Improved security".....................................Only according to MS and the fanteam. It is MS. Bo dont know didly and MS dont know security from Bill Gates crab ridden pubes

Other possible causes?
released prematurely?
People sick of MS rolling out OS after OS out every few years just to drain the wallets?(which might be ok if they offered something that actually worked prior to the first few SPs)
The 'wonderous' advances the fan team touted were wonderous only to the fan team.


Some of the best comments Ive seen regarding Vista After SP1
-"its almost as good as XP now"
-"Its not such a piece of sh-i-t anymore"

Personally, I would much rather pay a subscription then have MS try and force and industry turnover every 4 years so they can keep their wallest fat.

Just like the delights in my pants.

Wanna see my latest infestation?

Vista is an overpriced piece of sh!t. I could fit my copies of XP on CD, Vista costs my a blank DVD. Robbing twats.

I have had, as have plenty of others, no problems with vista. Then again, i didn't have any problems that i recall with xp. meh.

No one is forcing anything, however, drivers and hardware is not windows job to make work. You not needing it does not make it bad.

The initial outrage from everything i have heard says that it was less to do with microsoft and more to do with end-users and OEM's not using good enough hardware.

Many will disagree but there has been nothing wrong with it for even people using it from the start. True i only got it because i was building new and it had already been out for a good while but even so, at the start it was not all microsoft's fault, indeed how much is debatable.

And where did i say that?

I never said it was worth upgrading to, just that it is not a bad OS and no worse than xp that is for sure.

The ONLY devices that I've had issues on with Vista was a $20 TV card that didn't work and my NAS, which I dislike anyway, and it's not a Vista issue, it's a 64-bit issue. They are refusing to make 64-bit drivers for the NetGear SC101.

The TV card was a dud, but it was old and a left over. I did, however, become quite enamoured with the Vista Media Center, so much so that I'm planning on building another Vista box just for TV capture. I've got all the parts left over from my last build, well, almost, all I need is a better (supported) TV card and a larger HDD. Possibly a case just because I don't know if I like any of the beige ones I have sitting around at home. I have to take my existing PC and see how the newer video cards display on a 55" non-HDTV. That's one of my concerns, the other being cash...

Windows Home Server is actually quite nice. . .

EDIT: Although I've been running Windows Server 2003, since I already paid for it with my MSDN subcription back in the day.

Why was XP replaced by the 'new, wonderful/new, horrible' Vista?

From an XP-user's perspective - one who gave Vista a chance, didn't like it, then gave Vista SP1 a chance and liked it only slightly more than Vista SP0 - XP did everything I wanted. The only new bits Vista have are a funky new look and (WOW!!!!! OMG!!!!! ROFL!!!!! whatever!!!!!) DirectX 10!

DX10 has been hacked to work under XP. Yay.
You get wonderful mods for XP to give it similar/the same appearance as Vista (and this includes Aero) if you want them. Yay.

Personally, Vista is basically as nice (for me to use) as XP, only it won't (tested) support a hell of a lot of legacy apps that XP still (patchily, true) does, a lot of which I use in the line of my daily work. And it comes with more DRM (allegedly) and security holes. I, personally, prefer XP (but that's probably because my XP theme makes it look like 98 did...).

XP versus Vista: Which is better?

Discuss.

Vista blows dead elves. Necromanitcally conditioned dead elves.

Pretty much everything that is coming out in this thread against Vista was used by people staying on Win2K when XP came out. That having been said I'm just deciding if I'm going Fedora or Ubuntu for 2009.